LinkedOut – LinkedIn iOS app stealing user information

There seems to be no end to the security issues plaguing the new generation of smartphone platforms. The popular professional social networking site LinkedIn has reportedly had 6.5 million user accounts and encrypted passwords leaked and posted in public. Mobile researchers at SkyCure have also reported that the LinkedIn iOS mobile app steals personal info from your phone and uploads it to a server. Are the two related? Did the 6.5m breach happen through the mobile app? Some believe so.

LinkedIn Mobile

An excerpt from SkyCure’s blog:

LinkedIn’s mobile application has an interesting feature that allows users to view their iOS calendars within the app. However, it turns out that LinkedIn have decided to send detailed calendar entries of users to their servers. The app doesn’t only send the participant lists of meetings; it also sends out the subject, location, time of meeting and more importantly personal meeting notes, which tend to contain highly sensitive information such as conference call details and passcodes. If you have decided to opt-in to this calendar feature in iPhone, LinkedIn will automatically receive your calendar entries and will continue doing so every time you open your LinkedIn app.

This is not the first time a violation of smartphone users’ privacy has been reported. I have consistently spoken out about this new trend of monitoring and stealing user info via mobile apps. Remember “When Your Smartphone Tracks Your Every Keypress, Message And Location”? Remember Path?

The mobile is the most personal computing device ever, with lots of people storing notes, memos, appointments and more on it for convenience’s sake. Where apps are able to siphon this info without the knowledge of users, there is a problem. In this LinkedIn case, the user is not told that such detailed private info is being uploaded anywhere.

While there is no evidence that LinkedIn have used the uploaded info for any malicious use, the problem is there all the same. I don’t want my sensitive or private info in the cloud (remember I raised this recently?), where any group of hackers can access it and then publish or put to other use.

The question is: Is there a way to stop or avoid this? Mobile subscribers’ taste for apps is fast becoming a privacy nightmare. Yes; we wanted it. We got it.

Imagine the possibilities.

  1. I don’t know if I’m more disappointed that things like this still go on in the mobile industry or that this time it was LinkedIn, knowing how professional they promote themselves to be. This brings to mind the discovery in April last year of iPhones recording/tracking user movements and location secretly and storing that info on a computer when it was synced. Thankfully the data was never uploaded anywhere.

    It’s not safe anymore.

  2. “…I don’t want my sensitive or private info in the cloud (remember I raised this recently?), where any group of hackers can access it and then publish or put to other use.”

    That is the issue here. It is not whether LinkedIn uses the info they’ve been scraping maliciously or not. More so, we have the right to know when an app decides to take anything from our phones.

  3. @deoladoctor, of course they let us know which information of ours they’ll take from our phones (in their vague way). Because we’re so busy enjoying their app they’re not going to keep prompting us about which bits of information they use and when.

  4. The question is: Is there a way to stop or avoid this

    One way would be to encrypt sensitive info before storage. Ensure that your internet connection (mobile data) is disabled when using the encryption program. (The encryption program itself may be spyware.)

    Depending on the importance of the info you are shielding, use strong encryption methods.

    Conclusively, realise that, as long as you are connected to the net, all your info (encrypted / decrypted) could be visible and accessible without your knowledge.
